Emotet Wishes You a Merry Christmas from Greta Thunberg

Recently, the Proofpoint Threat Insight team, among other researchers, observed a global malicious email campaign that leveraged a number of topical lures in a single message that attempts to deliver the well-known malware Emotet. This campaign combines the following four elements:

  • The renowned Swedish environmental activist Greta Thunberg
  • The Christmas holidays
  • Environmental awareness and activism
  • Time Magazine’s recent naming of Thunberg as their “Person of the Year”

Figure 1 shows an example of the malicious email messages our researchers have seen in English.

Figure 1 Malicious Email Sample in English Highlighting Greta Thunberg

As you can see in the lower right corner, the email contains an attached Microsoft Word document named “Support Greta Thunberg.doc”. When the recipient opens this attachment, the Emotet malware is installed.

Emotet is a banking Trojan that has been around since 2014 and has recently made a significant comeback. In our Q3 Threat Report, our researchers found that Emotet accounted for nearly 12% of all malicious email in that quarter.

Emotet attacks have been known for being global in scope, and this attack is no exception. In addition to the targeting of .com email addresses, our researchers have seen malicious emails specifically using email addresses associated the following countries’ top-level domains (in order of volume we’ve seen):

  1. Japan
  2. Germany
  3. Italy
  4. United Arab Emirates
  5. Australia
  6. United Kingdom
  7. Switzerland
  8. European Union
  9. United States
  10. Austria
  11. Canada
  12. Singapore

It’s also interesting to note that we’ve seen significant targeting of .edu domains. In fact, we saw more .edu domains attacked than domains associated with any specific country. This makes sense given the strong support Thunberg has among students and young people.

These attacks are not only global in their targeting but also in their use of native-language lures. Our researchers have seen malicious emails with subject lines in Spanish, Italian, French and Polish. You can find examples of the lures and subject lines we’ve seen in these languages as well as English at the end of this blog.

This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season. It also serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally. Attackers choose their lures carefully: in many ways their lures are a reliable barometer of public interest and awareness.

Non-Language Specific Subject Lines

  • Greta Thunberg
  • Greta
  • **Greta**
  • *Greta*
  • ===Greta===
  • =Greta Thunberg=
  • =Greta=
  • FW: *Greta*
  • Greta
  • Greta Thunberg

English Subject Lines

  • Support Greta
  • Support Greta - Time Person of the Year 2019
  • Support Greta Thunberg
  • Support Greta Thunberg - Time Person of the Year
  • Support Greta Thunberg - Time Person of the Year 2019
  • **Support Greta**
  • FW: Support Greta - Time Person of the Year 2019

Spanish Subject Lines

  • Apoya a Greta
  • Apoya a Greta Thunberg

Italian Subject Lines and Sample

  • Sostieni Greta
  • Sostieni Greta - Time Person of the Year 2019
  • Sostieni Greta Thunberg
  • Sostieni Greta Thunberg - Time Person of the Year
  • Sostieni Greta Thunberg - Time Person of the Year 2019

Figure 2 Malicious Email Sample in Italian Highlighting Greta Thunberg

French Subject Lines and Sample

  • Soutenez Greta - Time Person of the Year 2019
  • Soutenez Greta Thunberg
  • Soutenir Greta

Figure 3 Malicious Email Sample in French Highlighting Greta Thunberg

Polish Subject Lines and Sample

  • Wspieraj Greta
  • Wspieraj Greta - Time Person of the Year 2019
  • Wspieraj Greta Thunberg
  • Wspieraj Greta Thunberg - Time Person of the Year 2019
  • Wspieraj Greta Thunberg - Time Time of the Year

Figure 4 Malicious Email Sample in Polish Highlighting Greta Thunberg